authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2014-02-09 16:16:58 +0000
commit950be7e1b1a01ee9b25e2a72726a6370b8acacb6 (patch)
tree64829a84f903d7e2d3270c43e3f80df7db2a6a10 /readconf.c
parentee196dab7c5f97f0b80c8099343a375bead92010 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2013-11-09 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c42
1 files changed, 42 insertions, 0 deletions
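--- a/readconf.c
+++ b/readconf.c
@@ -132,6 +132,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+	oGssServerIdentity,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -172,10 +174,19 @@ static struct {
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
+	{ "gssapikeyexchange", oGssKeyEx },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
+	{ "gssapiclientidentity", oGssClientIdentity },
+	{ "gssapiserveridentity", oGssServerIdentity },
+	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
 #else
 	{ "gssapiauthentication", oUnsupported },
+	{ "gssapikeyexchange", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
+	{ "gssapiclientidentity", oUnsupported },
+	{ "gssapirenewalforcesrekey", oUnsupported },
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
@@ -516,10 +527,30 @@ parse_flag:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case oGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
+	case oGssClientIdentity:
+		charptr = &options->gss_client_identity;
+		goto parse_string;
+
+	case oGssServerIdentity:
+		charptr = &options->gss_server_identity;
+		goto parse_string;
+
+	case oGssRenewalRekey:
+		intptr = &options->gss_renewal_rekey;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1168,7 +1199,12 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
+	options->gss_keyex = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
+	options->gss_renewal_rekey = -1;
+	options->gss_client_identity = NULL;
+	options->gss_server_identity = NULL;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1268,8 +1304,14 @@ fill_default_options(Options * options)
 	options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
+	if (options->gss_renewal_rekey == -1)
+		options->gss_renewal_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)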
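Review bot: The `#else` branch of the keyword table in the second hunk is missing an entry for `gssapiserveridentity`, so a non-GSSAPI build will reject a config file containing GSSAPIServerIdentity as a bad option instead of treating it as unsupported like the other five new keywords; add `{ "gssapiserveridentity", oUnsupported },` after the `gssapiclientidentity` line there. The `oGssTrustDns` case in the third hunk and its default of 0 in fill_default_options would benefit from a comment stating why the flag is off by default, along the lines of `/* off by default: enabling widens what unauthenticated DNS data the client acts on */` — the exact effect of the flag is not visible in this file, so word it against the implementing code. Whether the strings stored in gss_client_identity and gss_server_identity are released on the normal teardown path is likewise not visible here and is worth confirming. All three enclosing functions start and end outside their hunks.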